When I'm discussing software security with my clients, questions invariably turn to application firewalls.

When I first heard of these products a few years ago, I was immediately predisposed to not liking them. They seemed to me to be yet another security product IT managers would try to plug into their networks to somehow retrofit security to the applications they're charged with running. It's long been my view that this sort of perimeter mentality doesn't work well and does little more than provide a false sense of security.

However, I was recently at a regional meeting of the Open Web Application Security Project (OWASP) in Belgium where the topic of application firewalls was heavily debated. Now, I have to admit my opinion shifted at least slightly during the discussions, and I wanted to take the opportunity to talk about that here. I'll warn you, though, I'm still not a believer, but I do recognize there can be circumstances when app firewalls can add value.

Let's start with a real quick description of the technology, and then I'll describe where it might be useful under certain circumstances.

Application firewalls, like their traditional counterparts, are meant to provide a layer of security in front of web applications. They normally operate in one of two modes.

The first mode is a negative security model: the firewall watches the traffic for signatures of known attack patterns, such as attempts to overflow software buffers, SQL injection, cross-site scripting, and so on. When a signature matches, the firewall blocks the request and/or logs it in detail. Because this mode only recognizes what its rule set describes, it is blind to attacks the rules don't cover.

The second mode is a positive security model: the firewall interposes itself entirely between the web app and the outside world and screens all input and output against a profile of the traffic the application is expecting. For example, when the application is expecting user input in the form of a name, address, phone number, etc., the app firewall ensures the incoming data contains what appears to be just that, and nothing else.

As you might reasonably expect, the second mode provides a greater degree of protection to the web app, but it also requires a far greater degree of integration to be effective: the profile has to be built from the application's actual inputs and kept current every time the application changes. Blocking legitimate traffic from getting to the application is the quickest way of getting thrown out of the data center, after all.

Impede business at your peril!
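To make the two modes concrete, here is a small Python illustration, added to this column and not taken from any product or from the Build Security In paper. It screens a handful of constructed form submissions (hypothetical data, not captured traffic) first with a negative model (a blacklist of a few SQL injection and cross-site scripting signatures) and then with a positive model (a per-field profile of what a contact form expects), and emits a structured log record for each decision. The signatures and the field profile are deliberately tiny stand-ins for a real rule set; the point is the behaviour of each model, including the false positive on a legitimate name and the injection attempt the blacklist never sees.

```python
import re

# Constructed sample requests: the decoded body of four POSTs to a contact form.
# These are hypothetical inputs made up for this example, not real traffic.
SAMPLE_REQUESTS = [
    # legitimate, well-formed submission
    {"name": "Alice Smith", "phone": "+1-555-0100", "address": "12 High St"},
    # legitimate user whose name contains accented letters
    {"name": "José Müller", "phone": "+34 600 000 000", "address": "Calle Mayor 5"},
    # textbook SQL injection tautology and a script tag
    {"name": "x' OR '1'='1", "phone": "555-0100", "address": "<script>alert(1)</script>"},
    # stacked-query injection the blacklist has no signature for, plus an unexpected field
    {"name": "Bob", "phone": "555-0102'; DROP TABLE users", "address": "1 Elm St", "debug": "1"},
]

# Mode 1: negative security model. A blacklist of known attack signatures.
# Real rule sets run to thousands of patterns; these four are stand-ins.
NEGATIVE_SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "sqli_comment": re.compile(r"(--|/\*|#)\s*$"),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "xss_event_handler": re.compile(r"\bon\w+\s*=", re.I),
}


def negative_check(params: dict) -> list:
    """Return (field, signature) pairs that matched; an empty list means 'allow'."""
    hits = []
    for field_name, value in params.items():
        for sig_name, pattern in NEGATIVE_SIGNATURES.items():
            if pattern.search(value):
                hits.append((field_name, sig_name))
    return hits


# Mode 2: positive security model. A profile of what the application expects,
# field by field. Anything not in the profile is a violation.
POSITIVE_PROFILE = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$"),
    "phone": re.compile(r"^\+?[0-9][0-9 .-]{3,19}$"),
    "address": re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ,.'/-]{0,127}$"),
}


def positive_check(params: dict) -> list:
    """Return (field, reason) pairs violating the profile; an empty list means 'allow'."""
    violations = []
    for field_name, value in params.items():
        pattern = POSITIVE_PROFILE.get(field_name)
        if pattern is None:
            violations.append((field_name, "unexpected_field"))
        elif not pattern.fullmatch(value):
            violations.append((field_name, "format"))
    for required in POSITIVE_PROFILE:
        if required not in params:
            violations.append((required, "missing_field"))
    return violations


def inspect(request_id: str, params: dict, mode: str) -> dict:
    """Screen one request in the given mode and return an application-layer log record.

    mode is "negative" (signature blacklist) or "positive" (expected-input profile).
    An inline firewall would drop the request whenever action == "block".
    """
    if mode == "negative":
        findings = negative_check(params)
    elif mode == "positive":
        findings = positive_check(params)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {
        "request_id": request_id,
        "mode": mode,
        "action": "block" if findings else "allow",
        "findings": findings,
    }


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS, start=1):
        for mode in ("negative", "positive"):
            print(inspect(f"r{i}", req, mode))
```

Run it and compare the two verdicts per request. The negative model allows the accented name but also allows the stacked-query injection in request 4, because nothing in its blacklist matches it. The positive model blocks that injection and the stray `debug` field, but it also blocks "José Müller", since the profile was written for ASCII names. That second outcome is exactly the false positive the paragraph above warns about: the positive model is only as good as the effort put into building and maintaining its profile.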

So, all of this sounds pretty good, right? Then why do you suppose I'm not a supporter of the technology?

My biggest fear with app firewalls is that they lead software developers to not pay adequate attention to the security of their applications because "someone else is taking care of that". That sort of crutch can only result in bad application security, in my view, and will inevitably cause you grief. Mark my words on that.

I heard an argument at that OWASP meeting, however, that made me pause in my opposition. In an environment that includes a large number of legacy apps or one that includes a large number of third-party apps, there could well be some value to app firewalls. For one thing, they can represent a means of enhancing the security of these deployed apps that is more cost effective than trying to retrofit software security into them from the ground up.

Let's face it, no enterprise that has all of a sudden seen the software security light is going to go back and redesign/rewrite all of their apps securely in one fell swoop. If their deployed apps are vulnerable to SQL injection and other web app ailments, plugging some web app firewall technologies in front of them can be a cost effective means of getting to the goal without breaking the bank.

That is, if app firewalls are used wisely, they can effectively augment a software security initiative. I maintain app firewalls are not a suitable alternative to software security, but they can provide some immediate relief to real world legacy software problems.

There's another benefit to web app firewalls I would be remiss if I didn't mention here. They can and do add a level of application-layer event logging that all too many applications are sorely lacking. As someone who has spent years running incident response operations, I can say that, in and of itself, would be a major benefit in production environments.

Again, though, I still feel they're not a cure for the problem of writing bad code.

So, this certainly falls short of being a blanket endorsement for web app firewalls, but I feel they're a pragmatic compromise to practical circumstances. They can add value, but should be wielded with due caution. To deploy web app firewalls at the expense of an otherwise effective software security initiative is the real danger I feel should be avoided at all cost. But they can help us get to where we need to be a bit sooner.

Those of you who are interested in learning more about application firewall technologies can find some additional reading on the Department of Homeland Security-sponsored website, Build Security In. They have a paper (that I co-wrote) that can be found here.